Encrypt the password in the database
Posted: Wed Oct 31, 2012 10:41 am
by denis
For now, AdminUser's password and customer's password are stored with no encryption in the database.
To improve the security, you should encrypt the password (with md5 for example).
Best regards
Re: Encrypt the password in the database
Posted: Wed Oct 31, 2012 1:42 pm
by phillipuniverse
We have the ability to do this currently in Broadleaf with some configuration. We decided to keep this simple and just store plain-text. And it's actually best to use MD5 with a salt.
You can change the password encoding by adding something like this to your applicationContext-admin-security:
<!-- The BLC Admin authentication manager -->
<sec:authentication-manager alias="blAdminAuthenticationManager">
<sec:authentication-provider user-service-ref="blAdminUserDetailsService">
<sec:password-encoder ref="blPasswordEncoder">
<sec:salt-source system-wide="someSalt" />
</sec:password-encoder>
</sec:authentication-provider>
</sec:authentication-manager>
And then adding this in your applicationContext-admin.xml:
<bean id="blPasswordEncoder" class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" />
<bean id="blAdminSecurityService" class="org.broadleafcommerce.openadmin.server.security.service.AdminSecurityServiceImpl">
<!-- this value must match what you have in applicationContext-security -->
<property name="salt" value="someSalt" />
</bean>
Alternatively, you can use a 'user-property' for the salt source in the password encoder rather than 'system-wide', which will prevent you from having to override the blAdminSecurityService bean. More info:
http://static.springsource.org/spring-s ... alt-source
Re: Encrypt the password in the database
Posted: Wed Oct 31, 2012 1:42 pm
by phillipuniverse
You will need to make similar changes in the frontend as well to ensure proper password encryption.
Re: Encrypt the password in the database
Posted: Wed Oct 31, 2012 3:37 pm
by denis
OK, thanks for your answer, I will try it as soon as possible.
Best regards
Re: Encrypt the password in the database
Posted: Mon Nov 12, 2012 9:20 am
by denis
Just to confirm that it works, I chose the system-wide configuration so as not to override the blAdminSecurityService bean! For "site" you must change:
- in your applicationContext-security.xml
<bean id="blPasswordEncoder" class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" />
<sec:authentication-manager alias="blAuthenticationManager">
<sec:authentication-provider user-service-ref="blUserDetailsService">
<sec:password-encoder ref="blPasswordEncoder">
<sec:salt-source system-wide="${password.salt}" />
</sec:password-encoder>
</sec:authentication-provider>
</sec:authentication-manager>
<!-- Redefine blCustomerService to configure salt -->
<bean id="blCustomerService" class="org.broadleafcommerce.profile.core.service.CustomerServiceImpl">
<property name="salt" value="${password.salt}" />
</bean>
Hope it can help anybody else!
Re: Encrypt the password in the database
Posted: Mon Nov 12, 2012 9:56 am
by denis
One more thing!
There is an issue on Demo Site.
When you use MD5 encryption:
- Register new customer
- Go to customer settings
- Change password
==> The message "Current password is invalid" is always displayed because changePasswordValidator compares a non-encrypted string with the encrypted password stored in the database.
To fix the issue you should encode the password before validating it in BroadleafChangePasswordController:
passwordChange.setCurrentPassword(passwordEncoder.encodePassword(form.getCurrentPassword(), getSalt(CustomerState.getCustomer())));
Best regards
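The validator failure described in the post above, shown as an added example that is not Broadleaf or Spring code: it re-implements the digest layout of the legacy Spring Security Md5PasswordEncoder (assumed here to hash the string `password{salt}`, as the old MessageDigestPasswordEncoder does), then contrasts the broken raw-versus-digest comparison with the encode-then-compare fix. The salt, password and function names are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed sample values for the demonstration (not taken from the thread).
SYSTEM_WIDE_SALT = "someSalt"          # plays the role of <sec:salt-source system-wide="..."/>
RAW_PASSWORD = "correct horse battery"


def merge_password_and_salt(raw_password: str, salt) -> str:
    """Assumed layout of the legacy Spring Security MessageDigestPasswordEncoder:
    the digest input is password{salt}, or just the password when there is no salt."""
    if salt is None or str(salt) == "":
        return raw_password
    return f"{raw_password}{{{salt}}}"


def encode_password(raw_password: str, salt) -> str:
    """Lower-case hex MD5 over the merged string, mirroring Md5PasswordEncoder.encodePassword."""
    merged = merge_password_and_salt(raw_password, salt).encode("utf-8")
    return hashlib.md5(merged).hexdigest()


def is_password_valid(encoded_password: str, raw_password: str, salt) -> bool:
    """Re-encode the submitted raw value with the same salt and compare digests.
    hmac.compare_digest keeps the comparison time independent of where the strings differ."""
    return hmac.compare_digest(encode_password(raw_password, salt), encoded_password)


def broken_current_password_check(stored_encoded: str, form_current_password: str) -> bool:
    """What the thread reports: the raw form value is compared with the stored digest,
    so the 'current password' check fails for every user once hashing is enabled."""
    return stored_encoded == form_current_password


def fixed_current_password_check(stored_encoded: str, form_current_password: str, salt) -> bool:
    """The fix from the thread: encode the submitted value with the user's salt, then compare."""
    return is_password_valid(stored_encoded, form_current_password, salt)


def demo() -> dict:
    """Run both checks against a stored digest and return the outcomes."""
    stored = encode_password(RAW_PASSWORD, SYSTEM_WIDE_SALT)
    return {
        "broken_with_correct_password": broken_current_password_check(stored, RAW_PASSWORD),
        "fixed_with_correct_password": fixed_current_password_check(stored, RAW_PASSWORD, SYSTEM_WIDE_SALT),
        "fixed_with_wrong_password": fixed_current_password_check(stored, "not the password", SYSTEM_WIDE_SALT),
        "fixed_with_wrong_salt": fixed_current_password_check(stored, RAW_PASSWORD, "otherSalt"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `fixed_with_wrong_salt` case is why the salt value in the security context and in the service bean must match, as the configuration comments in this thread say: a digest computed with a different salt never verifies. The encode-then-compare pattern is independent of the digest, so swapping Md5PasswordEncoder for a stronger encoder (the later post in this thread notes MD5 is no longer considered best practice) leaves the validator logic unchanged.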
Re: Encrypt the password in the database
Posted: Fri Jan 18, 2013 5:12 am
by bhavani
Hi,
I tried these in my development; while running the build.xml, it doesn't show any error, but I can't log in to my admin account... and also in the front-end all the menus are coming vertically... can anyone help me on this?
Re: Encrypt the password in the database
Posted: Mon Feb 25, 2013 8:48 am
by staleks
I have the same problem.
ChangePasswordValidator will pick up the un-encoded password from the form and try to compare it to the value from Customer.
Of course those two don't match, and therefore ChangePasswordValidator always exits with failed validation on the current password field.
Does someone have a fine solution for this?
Re: Encrypt the password in the database
Posted: Wed Mar 13, 2013 5:49 pm
by RapidTransit
I'd just like to make a comment that MD5 is not really a "best practice" anymore. Some believe SHA-256 with an MD5'ed salt is the bare minimum.